How to install and configure Ansible on Centos7

What is it?

Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.

Designed for multi-tier deployments since day one, Ansible models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.

It uses no agents and no additional custom security infrastructure, so it’s easy to deploy — and most importantly, it uses a very simple language (YAML, in the form of Ansible Playbooks) that allows you to describe your automation jobs in a way that approaches plain English.

How to install on Centos7

As Ansible is now part of Red Hat, the easiest and officially recommended way to install it is through the OS package manager.

Ansible is a simple, agentless automation system, which means no extra software needs to be installed on the managed nodes.

sudo yum install ansible

Managed Node Requirements

On the managed nodes, you need a way to communicate, which is normally SSH. By default, this uses sftp. If that’s not available, you can switch to scp in ansible.cfg. You also need Python 2 (version 2.6 or later) or Python 3 (version 3.5 or later).

  • If you have SELinux enabled on remote nodes, you will also want to install libselinux-python on them before using any copy/file/template related functions in Ansible. You can use the yum module or dnf module in Ansible to install this package on remote systems that do not have it.
  • By default, Ansible uses the Python interpreter located at /usr/bin/python to run its modules. However, some Linux distributions may only have a Python 3 interpreter installed to /usr/bin/python3 by default. On those systems, you may see an error like: "module_stdout": "/bin/sh: /usr/bin/python: No such file or directory\r\n". You can either set the ansible_python_interpreter inventory variable (see Working with Inventory) to point at your interpreter, or you can install a Python 2 interpreter for modules to use. You will still need to set ansible_python_interpreter if the Python 2 interpreter is not installed to /usr/bin/python.
  • Ansible’s "raw" module (for executing commands in a quick and dirty way) and the script module don’t even need Python installed. So technically, you can use Ansible to install a compatible version of Python using the raw module, which then allows you to use everything else. For example, if you need to bootstrap Python 2 onto a RHEL-based system, you can install it via $ ansible myhost --become -m raw -a "yum install -y python2"

Test whether Ansible can reach the managed nodes. Before SSH keys are in place, the connection is refused:

$ ansible web -m ping -i inventory.ini
The authenticity of host 'ans-web-2.corp.diamondkey.com (10.1.10.98)' can't be established.
ECDSA key fingerprint is SHA256:VNy84tUHuqGp/3lbejaaxEVYgJJNLUzqHX7tKI0ZGH4.
ECDSA key fingerprint is MD5:71:57:22:9d:13:2d:33:5b:9c:47:8e:b2:75:43:69:a2.
Are you sure you want to continue connecting (yes/no)? yes
ans-web-2.corp.diamondkey.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'ans-web-2.corp.diamondkey.com,10.1.10.98' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
ans-web-1.corp.diamondkey.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

Configure SSH connection

By default, Ansible will try to use native OpenSSH for remote communication when possible. I will be keeping this default method for the communications.

Set Up SSH Keys

If you haven’t done so already, the first step is to create the key pair on the machine where Ansible is installed.

$ ssh-keygen -t rsa -b 4096 -C "saeed@joulaei.com" 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/saeed/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/saeed/.ssh/id_rsa.
Your public key has been saved in /home/saeed/.ssh/id_rsa.pub.
The key fingerprint is:
yFZuTH4EoyFZuTH4EoyFZuTH4EoyFZuTH4EoyFZuTH4Eo saeed@joulaei.com
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     + = = .     |
|      = S = .    |
|     . + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

Copy the public key to the managed nodes

$ ssh-copy-id saeed@192.168.100.4
$ ssh-copy-id saeed@ans-web-1.local
$ ssh-copy-id saeed@ans-web-2.domain.com

You will be prompted for your password on the managed node.

You also need to accept the host key (adding it to the trusted hosts) if this is the first time you connect to the managed node.

$ ssh-copy-id saeed@ans-web-2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/saeed/.ssh/id_rsa.pub"
The authenticity of host 'ans-web-2 (10.1.10.98)' can't be established.
ECDSA key fingerprint is SHA256:VNy84tUHuqGp/3lbejaaxEVYgJJNLUzqHX7tKI0ZGH4.
ECDSA key fingerprint is MD5:71:57:22:9d:13:2d:33:5b:9c:47:8e:b2:75:43:69:a2.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
saeed@ans-web-2's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'saeed@ans-web-2'"
and check to make sure that only the key(s) you wanted were added.

Now test again whether Ansible can reach the managed nodes:

$ ansible web -m ping -i inventory.ini
ans-web-2.corp.diamondkey.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
ans-web-1.corp.diamondkey.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
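As a pre-flight check, the following added example (not part of the original post) parses the output of `ansible web -m ping` shown above into per-host results, separating hosts that are reachable (and which Python interpreter Ansible discovered on them) from hosts that are still UNREACHABLE, together with the SSH failure reason. The sample output is constructed from the two runs on this page.

```python
import json
import re

# Header of one result block, e.g. "ans-web-1.corp.diamondkey.com | UNREACHABLE! => {"
HEADER = re.compile(r"^(?P<host>\S+) \| (?P<status>[A-Z]+)!? => \{$")

# Constructed sample modelled on the output shown on this page: one host
# still lacking an authorized key, one host already reachable.
SAMPLE = """\
Are you sure you want to continue connecting (yes/no)? yes
ans-web-2.corp.diamondkey.com | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,password).",
    "unreachable": true
}
ans-web-1.corp.diamondkey.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
"""

def parse_ping_output(text):
    """Return {host: result}; result is the block's JSON plus its status word."""
    results, block, header = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                      # new result: start collecting its JSON body
            header, block = m, ["{"]
        elif block is not None:    # lines before any header (prompts) are skipped
            block.append(line)
            if line == "}":        # unindented brace closes the block
                result = json.loads("\n".join(block))
                result["status"] = header.group("status")
                results[header.group("host")] = result
                block = None
    return results

def summarize(results):
    """Reachable hosts -> discovered interpreter; unreachable -> SSH failure reason."""
    ok, failed = {}, {}
    for host, r in results.items():
        if r.get("unreachable") or r["status"] != "SUCCESS":
            failed[host] = r.get("msg", "")
        else:
            ok[host] = r.get("ansible_facts", {}).get("discovered_interpreter_python")
    return ok, failed
```

Feed it the captured output of a real run (for example via `ansible web -m ping -i inventory.ini | python3 check.py` with `sys.stdin.read()`) and abort a playbook run if `failed` is non-empty.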

Sample Inventory file (INI type)

192.168.100.4

[web]
ans-web-1
ans-web-2

[db]
ans-db-1
ans-db-2

Sample playbook (YAML)

---
- name: install and run my services
  hosts: all
  remote_user: saeed
  # sudo is the default become method anyway, so the next line can be removed.
  become_method: sudo
  become_user: root
  # you can become root globally here, or per task with `become: true` under that task
  become: true
  vars:
    http_port: 80
    max_clients: 200

  tasks:
    - name: install httpd
      # become: true   # per-task alternative to the play-level become above
      yum:
        name: httpd
        state: latest

    - name: write apache config file
      template:
        src: srv/httpd.j2
        dest: /etc/httpd.conf
      notify:
        - restart apache

    - name: start httpd
      service:
        name: httpd
        state: started   # 'running' is not a valid state for the service module

    - name: install vmware tools
      yum:
        name: open-vm-tools
        state: latest

  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted

Run Ansible playbooks

Now that everything is set up and ready, you can run playbooks on your target nodes.

ansible-playbook  my-centos-playbook.yml -i inventory.ini --limit 'web'

Or just run an ad-hoc command:

ansible web -i inventory.ini -m command -a '/sbin/reboot' -u saeed -b

This runs the reboot command on all hosts in the web group, connecting as saeed and then becoming root (-b).
